9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
70.7%
Issues were identified in libcurl, which is packaged with the IBM MQ Queue Manager Container image. These issues are now fixed, and the fixes are shipped with the latest IBM MQ Operator and IBM-supplied MQ Advanced container images.
CVEID:CVE-2023-38546
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the curl_easy_duphandle function if a transfer has cookies enabled when the handle is duplicated. By sending a specially crafted request, an attacker could exploit this vulnerability to insert cookies at will into a running program.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-38545
**DESCRIPTION:**libcurl and cURL are vulnerable to a heap-based buffer overflow, caused by the improper handling of hostnames longer than 255 bytes during a slow SOCKS5 proxy handshake. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator |
**CD:**v2.4.0 - v2.4.4, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3
IBM supplied MQ Advanced container images|
CD: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus,
9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3,
9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1
Issues mentioned by this security bulletin is addressed in IBM MQ Operator v2.4.5 CD release that included IBM supplied MQ Advanced 9.3.3.2-r2 container image. IBM strongly recommends applying the latest container images.
**IBM MQ Operator 2.4.5 CD release details:
**
Image
|
Fix Version
|
Registry
|
Image Location
—|—|—|—
ibm-mq-operator
|
v2.4.5
|
|
ibm-mqadvanced-server
|
9.3.3.2-r2
|
|
ibm-mqadvanced-server-integration
|
9.3.3.2-r2
|
|
ibm-mqadvanced-server-dev
|
9.3.3.2-r2
|
|
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm mq certified container software | eq | 2.4.5 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
70.7%